Add extendedKeyUsage flag. One of serverAuth, clientAuth,
crlSign, or ocspSigning. Can be used multiple times.

-g, --digest digest

Digest to use for signature creation. One of md5, sha1,
sha224, sha256, sha384, or sha512. The default is
determined based on the type and size of the signature key.

-f, --outform encoding

Encoding of the created certificate file. Either der (ASN.1 DER) or
pem (Base64 PEM), defaults to der.

-b, --ca

Include CA basicConstraint extension in certificate.

-o, --ocsp uri

OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple
times.

-p, --pathlen len

Set path length constraint.

-n, --nc-permitted name

Add permitted NameConstraint extension to certificate. For DNS or email
constraints, the identity type is not always detectable by the given name. Use
the
dns:
or
email:
prefix to force a constraint type.

-N, --nc-excluded name

Add excluded NameConstraint extension to certificate. For DNS or email
constraints, the identity type is not always detectable by the given name. Use
the
dns:
or
email:
prefix to force a constraint type.

-M, --policy-mapping issuer-oid:subject-oid

Add policyMapping from issuer to subject OID.

-E, --policy-explicit len

Add requireExplicitPolicy constraint.

-H, --policy-inhibit len

Add inhibitPolicyMapping constraint.

-A, --policy-any len

Add inhibitAnyPolicy constraint.

Certificate Policy

Multiple certificatePolicy extensions can be added. Each with the following
information: